DEV Community

Cover image for Handling AWS WAF Capacity Limits with Terraform
Mukul Sharma
Mukul Sharma

Posted on

Handling AWS WAF Capacity Limits with Terraform

When managing AWS WAF resources using Terraform, one common issue is exceeding the Web ACL Capacity Units (WCUs) limit, which can lead to deployment failures. This blog post will guide you through understanding WCUs, checking capacity using AWS CLI, and integrating this process into your Terraform workflow to ensure smooth deployments.

Understanding WCUs in AWS WAF

AWS WAF uses Web ACL Capacity Units (WCUs) to measure the resources required to run rules, rule groups, and Web ACLs. Each rule type has a different capacity requirement based on its complexity and processing needs. The capacity limits help AWS manage the performance and cost of running WAF rules efficiently.

  • Simple Rules: Require fewer WCUs (e.g., size constraint rules).
  • Complex Rules: Require more WCUs (e.g., regex pattern sets).

For detailed WCU calculations, refer to the AWS WAF documentation oai_citation:1,AWS WAF web ACL capacity units (WCUs) - AWS WAF, AWS Firewall Manager, and AWS Shield Advanced.

Common Error

When you exceed the WCU limits, you may encounter the following error:

WAFInvalidParameterException: Error reason: You exceeded the capacity limit for a rule group or web ACL.
Enter fullscreen mode Exit fullscreen mode

Checking WCU Requirements with AWS CLI

Terraform lacks built-in functionality to check WCUs before applying configurations. However, AWS CLI provides a check-capacity command to verify the WCU requirements. Here’s how you can use it:

  1. Define WAF Rules in JSON: Create a JSON file (rules.json) with the rules you want to include:
   {
     "Rules": [
       {
         "Name": "Rule1",
         "Priority": 1,
         "Statement": {
           "ByteMatchStatement": {
             "SearchString": "BadBot",
             "FieldToMatch": {
               "UriPath": {}
             },
             "TextTransformations": [
               {
                 "Priority": 0,
                 "Type": "NONE"
               }
             ]
           }
         },
         "Action": {
           "Block": {}
         },
         "VisibilityConfig": {
           "SampledRequestsEnabled": true,
           "CloudWatchMetricsEnabled": true,
           "MetricName": "Rule1Metric"
         }
       }
     ]
   }
Enter fullscreen mode Exit fullscreen mode
  1. Run the check-capacity Command: Use the AWS CLI to check the capacity:
   aws wafv2 check-capacity --scope REGIONAL --rules file://rules.json
Enter fullscreen mode Exit fullscreen mode

The output will look like this:

{
    "Capacity": 15
}
Enter fullscreen mode Exit fullscreen mode

This command returns the total WCU requirement for your specified rules. Ensure it doesn't exceed 5,000 WCUs for a single Web ACL.

Integrating Capacity Check with Terraform

To avoid deployment failures due to WCU limits, integrate the capacity check into your Terraform workflow using a shell script:

  1. Create a Shell Script: Write a script (check_capacity.sh) to perform the capacity check:
   #!/bin/bash

   CAPACITY=$(aws wafv2 check-capacity --scope REGIONAL --rules file://rules.json | jq '.Capacity')

   if [ "$CAPACITY" -gt 5000 ]; then
     echo "Error: Capacity units exceeded. Current capacity: $CAPACITY"
     exit 1
   else
     echo "Capacity check passed. Current capacity: $CAPACITY"
     export TERRAFORM_CAPACITY_CHECK=passed
   fi
Enter fullscreen mode Exit fullscreen mode
  1. Integrate with Terraform: Modify your Terraform workflow to include the script:
   ./check_capacity.sh

   if [ "$TERRAFORM_CAPACITY_CHECK" == "passed" ]; then
     terraform apply
   else
     echo "Terraform apply aborted due to capacity issues."
   fi
Enter fullscreen mode Exit fullscreen mode

By incorporating this script, you ensure that your Terraform deployments only proceed if the WCU requirements are within limits, preventing potential failures and downtime.

Conclusion

Handling WCU limits is crucial for successful AWS WAF deployments using Terraform. By leveraging the check-capacity command in AWS CLI and integrating it into your Terraform workflow, you can proactively manage capacity and avoid deployment issues. This approach ensures a smoother, more reliable infrastructure management process especially until terraform starts to support a similar built-in functionality.

For further reading, check the official AWS WAF documentation on WCUs and the AWS CLI check-capacity command reference.

Top comments (2)

Collapse
 
costis profile image
Costis Pan

Thanks for the write up, much appreciated.

Question: After rules.json has been validated with aws wafv2 check-capacity , how can we use it in our terraform script as a definition for waf rules?

If this is not possible, what workflow would you recommend?

Collapse
 
mukulsharma profile image
Mukul Sharma • Edited

Heya, if I am getting your question write. You're trying to use the same rules.json to actually define and setup the rule in your .tf file.

At the moment, this is not possible and this is where the redundancy comes in. You have to first write the aws api accepted format in rules.json and then you have to repeat that and write the terraform accepted format for your rule/rule_group.

Ideally, terraform should be able to fetch the needed capacity (which would omit the extra step of drafting rules.json to see the needed capacity). This open issue in terraform-aws-provider is trying to do that.